Question

TwidF on Wed, 28 Sep 2016 00:23:29

Hi,

Our checkpoint firewalls are not passing the information expected with the token code to our MFA server.

It works with our ASA firewalls, but with the Checkpoint firewalls, after the LDAP auth works and it sends the challenge response for the token code, the reply with the token code comes back from the Checkpoint; however, Azure gives the error "response did not contain password".

Can someone please help with getting a RADIUS dictionary for the Azure server, so I can provide this to checkpoint support?

Thanks,

Greg


Replies

Neelesh Ray -MSFT on Wed, 28 Sep 2016 15:54:39

Hello,

We are checking on the query and would get back to you soon on this.
I apologize for the inconvenience and appreciate your time and patience in this matter.

Regards,
Neelesh

shawnb_ms on Mon, 03 Oct 2016 23:03:49

Your post mentions both LDAP and RADIUS. Checkpoint should just be sending a RADIUS Access request to MFA Server. It validates username/password and if the user is in one-way SMS or OATH token mode, issues an Access Challenge response. Checkpoint should prompt for the OTP and submit that back to MFA Server. I believe you will need to use PAP for the Challenge to work successfully.
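
As an added illustration of the exchange described in the reply above (example code written for this thread, not code from Checkpoint, Cisco or Microsoft): a minimal RFC 2865 packet builder/parser with PAP User-Password hiding, plus a check that a reply to an Access-Challenge actually carries a User-Password attribute. The shared secret, Request Authenticator, user name, State value and the MS-CHAPv2-style Vendor-Specific bytes are all constructed placeholders, not captured values.

```python
import hashlib
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, STATE, VENDOR_SPECIFIC = 1, 1, 2, 24, 26  # RFC 2865
SECRET, AUTH = b"constructed-shared-secret", bytes(range(16))  # placeholder secret, constructed authenticator

def pap_crypt(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block).
    Encrypting pads the password to a 16-byte multiple; decrypting strips that padding."""
    if not decrypt:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data: bytes):
    """Return (code, id, authenticator, [(type, value), ...]); rejects malformed lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def challenge_reply_has_password(data: bytes) -> bool:
    """The OTP reply must be an Access-Request carrying State plus a PAP User-Password."""
    code, _, _, attrs = parse_packet(data)
    types = {t for t, _ in attrs}
    return code == ACCESS_REQUEST and STATE in types and USER_PASSWORD in types

def sample_otp_reply(use_pap: bool) -> bytes:
    """Constructed OTP reply to an Access-Challenge (not a captured packet)."""
    attrs = [(USER_NAME, b"greg"), (STATE, b"mfa-challenge-1")]
    if use_pap:
        attrs.append((USER_PASSWORD, pap_crypt(b"123456", SECRET, AUTH)))
    else:  # MS-CHAPv2 style: the credential rides in a Microsoft (311) Vendor-Specific attribute
        attrs.append((VENDOR_SPECIFIC, struct.pack("!I", 311) + b"\x19\x03\x00"))
    return build_packet(ACCESS_REQUEST, 7, AUTH, attrs)
```

Running `challenge_reply_has_password` over a capture of the second Access-Request shows directly whether the client sent a PAP User-Password (as the ASA does) or only vendor-specific MS-CHAP attributes, which is the difference the "response did not contain password" error points at.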

Brian Desmond on Mon, 03 Oct 2016 23:34:50

The way I read the OP's response, the Checkpoint is configured to do an LDAP AuthN and then it tries to step-up to an OTP via RADIUS. AFAIK this isn't a scenario that the MFA Server supports. You need to have the CheckPoint do RADIUS end-to-end.

TwidF on Tue, 04 Oct 2016 00:45:29

Hiya,

Thanks for the reply.

Like you said, Checkpoint does prompt for the OTP and sends it back; however, the Microsoft MFA server gives an error "response did not contain password".

If I change to PAP from MSCHAPv2, the whole thing fails and does not get to the OTP stage.

Doing a packet capture between an ASA firewall and Azure MFA, I can see the OTP response does indeed contain the AD password, whereas the response from the Checkpoint does not, so the error on the MFA server appears to be correct.

TwidF on Thu, 06 Oct 2016 23:05:52

Hello,

We are checking on the query and would get back to you soon on this.
I apologize for the inconvenience and appreciate your time and patience in this matter.